On Sat, Jul 26, 2014 at 10:39:57AM +0200, Frank Lanitz wrote: > Package: iceweasel > Version: 31.0-1 > Severity: normal > > Dear Maintainer, > > With latest updates I'm not able anymore to add an exception for HTTPS if > iceweasel is not knowing the issuer of an certificate.This is very disturbing > as e.g. Debian has also removed CAcert from list of certs so even I have the > fingerprint of the cert of a server, I cannot add them as "ok" without doing > some workaround via about:config. > > I'm only getting > <domain> uses an invalid security certificate. > The certificate is not trusted because the issuer certificate is unknown. > (Error code: sec_error_unknown_issuer) > > without any further option than 'Get me out of here!'
If the site in question is using HSTS, this is expected, as it's exactly how it's supposed to work. For instance, if I go to https://www.cacert.org/, I go get a sec_error_unknown_issuer, but I get a "Get me out of here!" button. On the other hand, see https://bugzilla.mozilla.org/show_bug.cgi?id=1014387: a couple months ago, I was getting a sec_error_unknown_issuer without a "Get me out of here!" on https://panopticlick.eff.org/ because the server wasn't sending an intermediate certificate and eff.org is HSTS. (it's fixed now) I'm pretty sure you're hitting something similar. Mike -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
